Black Hat Day 1 Keynote Notes – Changing the Security Paradigm – novainfosecportal.com
The threat to our networks is increasing at an unprecedented rate. The hostile environment we operate in has rendered traditional security strategies obsolete. Adversary advances require changes in the way we operate, and “offense” changes the game. Former FBI Executive Assistant Director Shawn Henry explores the state of the industry from his perspective as the man who led all cyber programs for the FBI.

Black Hat Day 2 Talk Notes – Hacking the Corporate Mind – novainfosecportal.com
Network defenders face a wide variety of problems on a daily basis. Unfortunately, the biggest of those problems come from the very organizations that we are trying to protect. Departmental and organizational concerns are often at odds with good security practices. As information security professionals, we are good at designing solutions to protect our networks, and the data housed on them.

Hacker Will Expose Potential Security Flaw In Four Million Hotel Room Keycard Locks – forbes.com
At the Black Hat security conference Tuesday evening, a Mozilla software developer and 24-year old security researcher named Cody Brocious plans to present a pair of vulnerabilities he’s discovered in hotel room locks from the manufacturer Onity, whose devices are installed on the doors of between four and five million hotel rooms around the world according to the company’s figures.

Arduino used as master key for hotel rooms – h-online.com
Using an inexpensive Arduino microcontroller board, security researcher Cody Brocious was able to open the Onity HT lock system used to secure rooms by a number of hotels around the globe. Brocious presented his findings yesterday (Tuesday) at the Black Hat information security conference in Las Vegas.

Relating Responsibility and Liability- at the core of BYOD – h30499.www3.hp.com
Just a quick post today, because I know everyone’s traveling around with Black Hat kicking up, and other conferences in full swing right now as well … but something we’ve been hitting on today just struck a nerve and I felt like I needed to write it up for everyone’s benefit.

Blackhat paper – daeken.com
Well, my talk for Blackhat (My Arduino can beat up your hotel room lock) is over. Things could’ve gone better in terms of execution — went through it too quickly and ended up using 30 minutes of my 60 minute slot. But people really enjoyed it and I spent a good hour or so answering questions.

EMET 3.5 Tech Preview leverages security mitigations from the BlueHat Prize – blogs.technet.com
Last year at Black Hat Las Vegas, we announced the BlueHat Prize contest – a large cash prize awarded for defensive security research. One month ago, we announced the names of three finalists. On Thursday night shortly after 10 PM, at the Microsoft Researcher Appreciation Party, we will unveil which finalist won which prize – the grand prize of $200,000 USD, the second prize of $50,000 USD, and the third prize of an MSDN subscription, valued at $10,000 USD. We are excited to reveal this to the finalists and to the world live at the same time.

The BlueHat Prize finalists, in their own words – blogs.technet.com
In a little less than 24 hours, we will award $200,000 to Jared DeMott, Ivan Fratric, or Vasilis Pappas as we name the inaugural winner of the BlueHat Prize – and we’ll award more than $50,000 for the two runners-up. As excitement builds towards that announcement, I was fortunate enough to sit down with each finalist and get to know them a little bit better. Each of these researchers coincidentally took on the problem of mitigating ROP exploits, but each had different reasons for participating in the contest and each proposed different solutions to the same problem.

Black Hat – Smashing the future for fun and profit – nakedsecurity.sophos.com
I’m delighted to once again be writing to you from the Black Hat USA conference in Las Vegas, Nevada. This year’s Black Hat is as big as ever and the talks seem to have improved over 2011.

Payment terminal flaws shown at Black Hat – computerworld.com
Three widely deployed payment terminals have vulnerabilities that could allow attackers to steal credit card data and PIN numbers, according to a pair of security researchers from penetration testing firm MWR InfoSecurity in the U.K.

Black Hat 2012: Best Giveaways and Booths – veracode.com
Veracode’s remedy for the Application Security headache is in full swing at the Black Hat Conference. Swing by the booth (#229) and you can pick up an “I <3 Binaries” t-shirt, some Veracode Vitamins, a Water Bottle, or a chance to win $1,000. But we aren’t the only great booth here at Black Hat this year; quite a few security vendors have gone all out to create great themes and fun giveaways.

iOS app hacking alive and well – download.cnet.com
While Apple was making its decidedly lackluster Black Hat debut just one floor up, security researcher Jonathan Zdziarski was explaining the dark art of iOS app hacking to a smaller but still crowded room.

Your Computer May Belong to Hackers – securitywatch.pcmag.com
“We are not terrorists. We will not release our proof of concept code.” Those words from Jonathan Brossard, CEO of Toucan Systems, sounded a bit extreme to me. However, by the end of his Black Hat presentation I totally changed my mind. Brossard presented a technique by which anyone with access to your computer or its components could seriously reduce its security in a permanent and undetectable fashion.

BlackHat talk – Las Vegas 2012 – zhodiac.hispahack.com
After a good talk with good feedback here is the deck I used and the video demo of win7/IE9 getting pwned.

Protocol-Level Evasion of Web Application Firewalls – community.qualys.com
Web application firewalls have come a long way from their modest beginnings more than a decade ago. They are now an accepted security best practice and have a significant role in compliance. But there is still a lot left to do before they can unlock their full potential.

Yup. That just happened… – passing-the-hash.blogspot.com
It’s 1115 BlackHat Standard Time and our talk just concluded. Here’s the high points.

Hacker delves into secret world of warranties – news.cnet.com
A young hacker here at Defcon 20 has pulled back the dense curtain of text and ambiguity surrounding warranties to show consumers how they can hack the warranty system — and to tell companies how to improve their warranty management.

Defcon Badge – etherpad.openstack.org
All of the badge binary sequences have been posted. Get in on the challenge and help out.

DEFCON 20: Day 1 Favorite Talk – it.toolbox.com
I promised a reader that I’d transcribe this talk for her, so here you go! Really good talk, although Michael drank a lot of beer during it… which probably made it even better! Some comments strewn about as usual. Enjoy everyone.

Defcon 20 Day 1 Review – resources.infosecinstitute.com
This article will discuss the talks and events that happened on Defcon day 1.

Defcon Day 1 Keynote Notes – Shared Values, Shared Responsibility – novainfosecportal.com
We as a global society are extremely vulnerable and at risk for a catastrophic cyber event. Global society needs the best and brightest to help secure our most valued resources in cyberspace: our intellectual property, our critical infrastructure and our privacy.

Tools Released at Defcon Can Crack Widely Used PPTP Encryption – pcworld.com
Security researchers released two tools at the Defcon security conference that can be used to crack the encryption of any PPTP (Point-to-Point Tunneling Protocol) and WPA2-Enterprise (Wireless Protected Access) sessions that use MS-CHAPv2 for authentication.

Hardware Backdooring is practical – slideshare.net
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more …

Defcon Day 3 Talk Notes – Sploitego – novainfosecportal.com
Sploitego makes it easy to quickly develop, install, distribute, and maintain Maltego Local transforms. The framework comes with a rich set of auxiliary libraries to aid transform developers with integrating attack, reconnaissance, and post exploitation tools. It also provides a slew of web tools for interacting with public repositories.

HITCON 2012 Review and slides – reverse.put.as
HITCON was really great and well organized. It was bigger than I expected, with lots of curious and cool people. Went in the mood and took many pictures with everyone – there goes my anonymity!

Smart grid vulnerability could give hackers free electricity – rawstory.com
A cyber security researcher will demonstrate a toolset later this week which allows users to break into so-called “smart meters” that control a structure’s access to the power grid and water utilities, potentially enabling the user to modify the reported volume of services used or even avoid being charged altogether.

Hope Number 9

The HOPE Number Nine Speaker Schedule – hopenumbernine.net
There are three scheduled speaker tracks. Talks begin at 10am Friday morning, July 13, and end Sunday evening with Closing Ceremonies. The schedule details are presented in a few different ways.

SharePoint Security Playbook [eBook] – blog.imperva.com
Today, we conclude our blog series on SharePoint security, where each day we took a closer look at the five lines of defense you need to secure your SharePoint environment from both internal and external threats.

Tools

Hcon Security Testing Framework (HconSTF) v0.4 – Fire Base – darknet.org.uk
HconSTF is an Open Source Penetration Testing Framework based on different browser technologies, which helps any security professional to assist in the penetration testing or vulnerability scanning assessment. It contains webtools which are capable of carrying out XSS attacks, SQL Injection, siXSS, CSRF, Trace XSS, RFI, LFI, etc. It could prove useful to anybody interested in the information security domain – students, security professionals, web developers and so on.

Get-PEHeader – A Scriptable In-memory and On-disk PE Parsing Utility – exploit-monday.com
Introducing, yet another PE parsing utility! Where Get-PEHeader differentiates itself though is that it will parse 32 and 64-bit executables both on disk and loaded in memory. Where it really shines is in its scriptability. For example, you can pipe the output of ls (Get-ChildItem) or ps (Get-Process) right to Get-PEHeader and it will return to you a fully parsed PE header.

OWASP BWA VM version 1.0 released – owasp.blogspot.com
Today, I am proud to announce the release of the OWASP Broken Web Applications Project VM version 1.0. This new release is now available for download from https://sourceforge.net/projects/owaspbwa/files/.

GUIdumpASN – Next Generation – geminisecurity.com
The GUIdumpASN application allows you to view and print a human readable version of an Abstract Syntax Notation One (ASN.1) file. ASN.1 is a standard and flexible notation that describes data structures for representing, encoding, transmitting, and decoding data.

OWASP Xelenium Project – owasp.org
Xelenium is a security testing tool that can be used to identify the security vulnerabilities present in the web application. Xelenium uses the open source functional test automation tool ‘Selenium’ as its engine and has been built using Java swing.

Proxying Android 4.0 ICS and FS Cert Installer – blog.opensecurityresearch.com
The first step to testing Android applications is to inspect the application’s traffic. If the application uses SSL encryption, this requires forcing the app to use an intermediate proxy that allows us to grab, inspect, and possibly modify this traffic.

New Techniques in SQLi Obfuscation: SQL never before used in SQLi – client9.com
SQLi remains a popular sport in the security arms-race. However, after analysis of hundreds of thousands of real world SQLi attacks, output from SQLi scanners, published reports, analysis of WAF source code, and database vendor documentation, both SQLi attackers and defenders have missed a few opportunities.

Update to the NMAP Pass the Hash script – josephpierini.blogspot.com
I’ve had a lot of questions about this, so let’s see if this helps. When I score a password or a hash, I use an nmap script to quickly determine if this gives me local admin rights to the workstations and servers.

PENETRATION TESTING WITH HTTPFS: RFI – disse.cting.org
As every system administrator knows, mounting remote filesystems with protocols like sshfs or smbfs saves time and simplifies interactions with remote machines. This leisure is usually not available when having limited remote access, like managing a web shell or during a web application penetration test.

Vulnerabilities

16,000 New Password Hashes Dumped – novainfosecportal.com
Wow some people have been busy the past few days… There are three new significant password hash dumps that we discovered over on OZDC.net this evening.

284 More Password Hashes Dumped – novainfosecportal.com
There are three new relatively small password hash dumps that we discovered over on OZDC.net yesterday. Of course many of the records also contained other interesting data such as phone numbers, email addresses, full names, user ids, usernames, club ids, and user types.

Apple removes Windows malware from iOS App Store – zdnet.com
Malware hit the iOS App Store. Don’t worry though: it won’t harm your iPhone, iPad, or Mac (your Windows computer is a different story, but even that is a long shot), and Apple has already removed it.

Backdoor Tool Kit – Today’s Scary Web Malware Reality – blog.sucuri.net
This past week we came across a nice little package that we felt compelled to share with you. In it, the attacker makes use of a number of tools designed to help them infiltrate your environment. What’s likely most annoying about this kit is that it’s loaded into your environment, and uses your own resources to help hack you. That’s like being punched in the gut and slapped at the same time, not cool.

Cracking Down on Insider Fraud – bankinfosecurity.com
Three insider fraud schemes at banks in Minnesota, Texas and California illustrate just how difficult it is for institutions to thwart inside jobs.

Beyond the Hype of the Cybersecurity Act – bankinfosecurity.com
U.S. government federal agencies would be required to continuously monitor and conduct penetration tests of their IT systems under the latest version of the Cybersecurity Act of 2012.

Multi-context XSS injection contest – thespanner.co.uk
I started to wonder a while ago how you could produce a vector that executed in many contexts. It’s cool because you can limit the number of requests an automated scanner uses without a high failure rate, you can even reduce the failure rate by making it as small as possible because some filters have a length limit. What does a multi-context vector look like I hear you ask?

Charlie Miller Takes on NFC, Charlie Miller Wins – threatpost.com
LAS VEGAS–Do not stand near Charlie Miller. Actually, you might not even want to let him walk past you. It’s not that Miller is a bad person, you understand. The problem is that Miller has figured out a couple of methods that enable him–or an attacker–to use the NFC chip in some phones to exploit vulnerabilities in the phones’ software and force users to visit a Web site or even gain complete control of the phone.

IOActive Announces Acquisition of Flylogic Engineering and Hardware Security Lab – prweb.com
IOActive, Inc., a global leader in information security services and research, today announced the acquisition of Flylogic Engineering and its assets, in addition to the appointment of Christopher Tarnovsky as IOActive’s Vice President of Semiconductor Security Services. In conjunction with this announcement, IOActive will be opening an expanded hardware and semiconductor security lab in San Diego, California.

Hackers Linked To China’s Army Seen From EU To D.C. – bloomberg.com
The hackers clocked in at precisely 9:23 a.m. Brussels time on July 18 last year, and set to their task. In just 14 minutes of quick keyboard work, they scooped up the e-mails of the president of the European Union Council, Herman Van Rompuy, Europe’s point man for shepherding the delicate politics of the bailout for Greece, according to a computer record of the hackers’ activity.

Global Payments: data breach cost a whopping $84.4 million – computerworld.com
Global Payments, which back in the spring reported a data breach in which information associated with an estimated 1.4 million payment cards was stolen, has revealed that expenses associated with investigations, fines and remediation have hit $84.4 million.
